Netgate Discussion Forum
    Trouble with OpenVPN and policy-based routing - pfSense eating syn/acks

      hcsteve

      I have two pfSense boxes, one running 2.0.2 (central site) and one running 2.0 (remote site).  I have traffic going over an OpenVPN tunnel between the two.  The remote site has a policy-routing rule on the LAN that sends all traffic from the LAN over the OpenVPN tunnel.  The remote site also has an "allow all" rule on the OpenVPN interface.  Connections initiated from the remote site work fine.  Connections initiated from the central site die.

      Here is the output of two tcpdumps from the remote site.  vr0 is the LAN interface and ovpnc1 is the OpenVPN tunnel interface.  192.0.2.1 is an IP at the central site and 10.2.100.20 is an IP at the remote site.  This connection was initiated by 192.0.2.1, which shows the connection hanging.

      [code]tcpdump -i ovpnc1 -n "host 192.0.2.1"
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on ovpnc1, link-type NULL (BSD loopback), capture size 96 bytes
      14:35:14.530362 IP 192.0.2.1.35605 > 10.2.100.20.443: Flags [S], seq 2292351839, win 5840, options [mss 1382,sackOK,TS val 3162135595 ecr 0,nop,wscale 7], length 0[/code]

      [code]tcpdump -i vr0 -n "host 192.0.2.1"
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on vr0, link-type EN10MB (Ethernet), capture size 96 bytes
      14:35:14.530530 IP 192.0.2.1.35605 > 10.2.100.20.443: Flags [S], seq 2292351839, win 5840, options [mss 1382,sackOK,TS val 3162135595 ecr 0,nop,wscale 7], length 0
      14:35:14.531452 IP 10.2.100.20.443 > 192.0.2.1.35605: Flags [S.], seq 347545913, ack 2292351840, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 12690977 ecr 3162135595], length 0
      14:35:17.544084 IP 10.2.100.20.443 > 192.0.2.1.35605: Flags [S.], seq 347545913, ack 2292351840, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 12691278 ecr 3162135595], length 0[/code]

      You can see that the initial SYN comes in fine through the OpenVPN interface, and is transmitted onto the LAN.  The reply SYN/ACK comes in on the LAN interface but never shows up on the OpenVPN interface.  Nothing relevant shows up in the firewall logs.

      I tried changing the state type on the rules on the LAN and the OpenVPN interface from the default "keep state" to both "sloppy state" and "no state" but I observed no difference in behavior.  I also tried setting the TCP flags on the LAN rule to "any flags" but that didn't seem to make a difference either.

      Any suggestions for other things to try?
      
        jimp (Rebel Alliance Developer Netgate)
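The two captures above can be correlated mechanically rather than read by eye. The following script is an added example (not code from the original post or from pfSense): it parses `tcpdump -n` lines from the tunnel and LAN interfaces, buckets packets by their direction-independent 4-tuple, and reports every flow whose SYN entered via the tunnel and whose SYN/ACK was seen on the LAN but never on the tunnel. That is the signature of a reply taking a different path than the request (or being dropped on the way back). The sample lines embedded below are constructed to mirror the post's captures.

```python
import re
from collections import defaultdict

# Constructed sample captures, modeled on the post (remote-site pfSense:
# ovpnc1 = OpenVPN tunnel interface, vr0 = LAN interface).
OVPNC1_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
14:35:14.530362 IP 192.0.2.1.35605 > 10.2.100.20.443: Flags [S], seq 2292351839, win 5840, options [mss 1382,sackOK,TS val 3162135595 ecr 0,nop,wscale 7], length 0
"""
VR0_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
14:35:14.530530 IP 192.0.2.1.35605 > 10.2.100.20.443: Flags [S], seq 2292351839, win 5840, options [mss 1382,sackOK,TS val 3162135595 ecr 0,nop,wscale 7], length 0
14:35:14.531452 IP 10.2.100.20.443 > 192.0.2.1.35605: Flags [S.], seq 347545913, ack 2292351840, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 12690977 ecr 3162135595], length 0
14:35:17.544084 IP 10.2.100.20.443 > 192.0.2.1.35605: Flags [S.], seq 347545913, ack 2292351840, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 12691278 ecr 3162135595], length 0
"""

# Matches the start of a tcpdump -n TCP line: timestamp, endpoints, TCP flags.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Return (ts, src, sport, dst, dport, flags) tuples; banner lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append((m["ts"], m["src"], int(m["sport"]),
                         m["dst"], int(m["dport"]), m["flags"]))
    return pkts


def flow_key(src, sport, dst, dport):
    """Direction-independent 4-tuple so a SYN and its SYN/ACK share one bucket."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def find_lost_synacks(tunnel_text, lan_text):
    """
    Correlate the tunnel and LAN captures. A flow is reported when its SYN
    arrived on the tunnel and a SYN/ACK was seen on the LAN, but no SYN/ACK
    ever appeared on the tunnel, i.e. the reply did not go back the way the
    request came in. Returns {flow_key: counters} for the broken flows only.
    """
    stats = defaultdict(lambda: {"syn_tunnel": 0, "synack_lan": 0, "synack_tunnel": 0})
    for _ts, src, sport, dst, dport, flags in parse_capture(tunnel_text):
        k = flow_key(src, sport, dst, dport)
        if flags == "S":
            stats[k]["syn_tunnel"] += 1
        elif flags == "S.":
            stats[k]["synack_tunnel"] += 1
    for _ts, src, sport, dst, dport, flags in parse_capture(lan_text):
        k = flow_key(src, sport, dst, dport)
        if flags == "S.":
            stats[k]["synack_lan"] += 1
    return {k: v for k, v in stats.items()
            if v["syn_tunnel"] and v["synack_lan"] and not v["synack_tunnel"]}


if __name__ == "__main__":
    for k, v in find_lost_synacks(OVPNC1_CAPTURE, VR0_CAPTURE).items():
        (a, ap), (b, bp) = k
        print(f"{a}:{ap} <-> {b}:{bp}: SYN via tunnel, "
              f"{v['synack_lan']} SYN/ACK(s) on LAN, none on tunnel")
```

On the post's data this flags exactly one flow (192.0.2.1:35605 to 10.2.100.20:443) with two SYN/ACK retransmissions on the LAN and none on the tunnel. Run it against real captures by feeding the saved `tcpdump -n` output of each interface to `find_lost_synacks`; a non-empty result means the return path should be checked before touching state or flag settings on the rules.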

        Does the target firewall (on 10.2.100.x) have a route back to 192.0.2.0/24?

        OpenVPN interfaces don't get reply-to on their rules (they do on 2.1 iff you have the interface assigned and only have rules on the interface tab to match that inbound traffic), which means that the traffic follows the routing table, it doesn't go back out the way it came in.


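To make the difference between "reply-to" and "follows the routing table" concrete, here is an added example (not part of the reply above, and not pfSense or pf code) that simulates the decision with a longest-prefix-match lookup over a constructed routing table. The interface names `vr1` and the tunnel transit network `10.8.0.0/24` are assumptions for the sake of the example; `vr0`, `ovpnc1` and the two address ranges come from the thread. With no route to 192.0.2.0/24 the SYN/ACK leaves via the default route, with such a route it leaves via the tunnel, and with reply-to the state itself pins the reply to the ingress interface regardless of the table.

```python
import ipaddress

# Constructed routing table for the remote-site firewall (assumed, not the
# poster's real configuration). Entries are (destination prefix, interface).
ROUTES_NO_RETURN_ROUTE = [
    ("0.0.0.0/0", "vr1"),        # default route via the WAN (interface name assumed)
    ("10.2.100.0/24", "vr0"),    # remote-site LAN (from the thread)
    ("10.8.0.0/24", "ovpnc1"),   # tunnel transit network (assumed)
]
# Same table plus a route back to the central site's network over the tunnel.
ROUTES_WITH_RETURN_ROUTE = ROUTES_NO_RETURN_ROUTE + [("192.0.2.0/24", "ovpnc1")]


def lookup(routes, dst):
    """Longest-prefix match: the interface the routing table selects for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def reply_interface(routes, reply_dst, ingress_iface, reply_to=False):
    """
    Interface a SYN/ACK leaves on. With reply-to, the state records the
    interface the SYN arrived on and sends the reply back out of it; without
    reply-to, only the routing table decides.
    """
    if reply_to:
        return ingress_iface
    return lookup(routes, reply_dst)


if __name__ == "__main__":
    syn_src, ingress = "192.0.2.1", "ovpnc1"
    print("no return route, no reply-to :", reply_interface(ROUTES_NO_RETURN_ROUTE, syn_src, ingress))
    print("return route, no reply-to    :", reply_interface(ROUTES_WITH_RETURN_ROUTE, syn_src, ingress))
    print("no return route, reply-to    :", reply_interface(ROUTES_NO_RETURN_ROUTE, syn_src, ingress, reply_to=True))
```

The first case reproduces the symptom in the captures: the SYN/ACK for 192.0.2.1 is handed to the default route instead of `ovpnc1`, so it never shows up on the tunnel capture. Checking the firewall's routing table for a route to 192.0.2.0/24 (the question in the reply above) is the direct test of which case applies.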
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.